User manual SONICWALL SONICOS 5.8 APPLICATION CONTROL OVERVIEW REV B

[. . . ] Application Control in SonicOS 5. 8 Document Scope This document describes how to configure and manage the Application Control feature in SonicOS 5. 8. This document contains the following sections: · · · · · · "Application Control Overview" on page 1 "Licensing Application Control" on page 25 "Using Application Control" on page 27 "Useful Tools" on page 50 "Use Cases" on page 57 "Glossary" on page 85 Application Control Overview This section provides an introduction to the SonicOS 5. 8 Application Control feature. This section contains the following subsections: · · · · "What is Application Control?" on page 1 "Benefits of Application Control" on page 3 "How Does Application Control Work?" on page 4 "Supported Platforms" on page 24 What is Application Control? Application Control provides a solution for setting policy rules for application signatures. Application Control policies include global App Control policies, and App Rules policies that are more targeted. [. . . ] If at any time during the wizard you are unable to find the options that you need, you can click Cancel and proceed using manual configuration. To use the wizard to configure Application Control, perform the following steps: Step 1 Step 2 Step 3 Step 4 Step 5 Login to the SonicWALL security appliance. In the SonicWALL banner at the top of the screen, click the Wizards icon. Select the Application Control Wizard radio button and then click Next. In the Application Control Policy Type screen, click a selection for the policy type, and then click Next. You can choose among SMTP, incoming POP3, Web Access, or FTP file transfer. The policy that you create will only apply to the type of traffic that you select. The next screen will vary depending on your choice here. Step 6 In the Select <your choice> Rules for Application Control screen, select a policy rule from the choices supplied, and then click Next. Depending on your choice in the previous step, this screen is one of four possible screens: · · · · Select SMTP Rules for Application Control Select POP3 Rules for Application Control Select Web Access Rules for Application Control Select FTP Rules for Application Control Step 7 The screen displayed here will vary depending on your choice of policy rule in the previous step. For the following policy rules, the wizard displays the Set Application Control Object Keywords and Policy Direction screen on which you can select the traffic direction to scan, and the content or keywords to match. · · · · All SMTP policy rule types except Specify maximum email size All POP3 policy rule types All Web Access policy rule types except Look for usage of certain web browsers and Look for usage of any web browser, except the ones specified All FTP policy types except Make all FTP access read-only and Disallow usage of SITE command In the Set Application Control Object Keywords and Policy Direction screen, perform the following steps: · In the Direction drop-down list, select the traffic direction to scan from the drop-down list. Select one of Incoming, Outgoing, or Both. 38 Application Control in SonicOS 5. 8 Using Application Control · Do one of the following: Note If you selected a choice with the words except the ones specified in the previous step, content that you enter here will be the only content that does not cause the action to occur. See "Negative Matching" on page 14. ­ In the Content text box, type or paste a text or hexadecimal representation of the content to match, and then click Add. Repeat until all content is added to the List text box. ­ To import keywords from a predefined text file that contains a list of content values, one per line, click Load From File. · Click Next. If you selected a policy type in the previous step that did not result in the Set Application Control Object Keywords and Policy Direction screen with the standard options, the wizard displays a screen that allows you to select the traffic direction, and certain other choices depending on the policy type. · · · In the Direction drop-down list, select the traffic direction to scan. SMTP: In the Set Maximum Email Size screen, in the Maximum Email Size text box, enter the maximum number of bytes for an email message. Web Access: In the Application Control Object Settings screen, the Content text box has a drop-down list with a limited number of choices, and no Load From File button is available. FTP: In the special-case Set Application Control Object Keywords and Policy Direction screen, you can only select the traffic direction to scan. Click Next. · · Step 8 In the Application Control Action Settings screen, select the action to take when matching content is found in the specified type of network traffic, and then click Next. You will see one or more of the following choices depending on the policy type, as shown below: Policy Type All Types All Types SMTP SMTP SMTP POP3 Web Access Web Access Web Access Web Access Available Action Log Only Bypass DPI Blocking Action - block and send custom email reply Blocking Action - block without sending email reply Add Email Banner (append text at the end of email) Blocking Action - disable attachment and add custom text Blocking Action - custom block page Blocking Action - redirect to new location Blocking Action - Reset Connection Manage Bandwidth Step 9 In the second Application Control Action Settings screen (if it is displayed), in the Content text box, type the text or URL that you want to use, and then click Next. The second Application Control Action Settings screen is only displayed when you selected an action in the previous step that requires additional text. For a Web Access policy type, if you selected an action that redirects the user, you can type the new URL into the Content text box. Application Control 39 Using Application Control Step 10 In the Select Name for Application Control Policy screen, in the Policy Name text box, type a descriptive name for the policy, and then click Next. Step 11 In the Confirm Policy Settings screen, review the displayed values for the new policy and do one of the following: · · · To create a policy using the displayed configuration values, click Apply. To exit the wizard without creating the policy, click Cancel. Step 12 In the Application Control Policy Complete screen, to exit the wizard, click Close. Note You can configure Application Control policies without using the wizard. When configuring manually, you must remember to configure all components, including match objects, actions, email address objects if required, and finally, a policy that references them. Configuring Match Objects This section describes how to manually create a match object. [. . . ] In the Content text box, type the bytes as shown by Wireshark: 474554. In the App Control Policy Settings window (Figure 58), type a descriptive policy name and select HTTP Client for the policy type. In the Match Object drop-down list, select the match object that you just defined. For more information about creating a policy, see "Configuring an App Rules Policy" on page 48. 80 Application Control in SonicOS 5. 8 Using Application Control The policy settings are shown below. Figure 58 HTTP GET Blocking Policy Application Control 81 Using Application Control Reverse Shell Exploit Prevention The reverse shell exploit is an attack that you can prevent by using Application Control's custom signature capability (See "Custom Signature" on page 79). [. . . ]